Cyber security news for all


    eScan Antivirus Update Procedure Exploited for Dissemination of Backdoors and Cryptocurrency Miners

    A novel malware initiative has emerged, exploiting the update mechanism of the eScan antivirus software to disseminate backdoors and cryptocurrency miners, including XMRig, through a longstanding threat named GuptiMiner, which targets extensive corporate networks.

    As per cybersecurity firm Avast, this activity is attributed to a threat actor potentially linked to a North Korean hacking group referred to as Kimsuky, also known by aliases such as Black Banshee, Emerald Sleet, and TA427.

    “GuptiMiner represents a highly sophisticated threat, employing an intriguing infection chain coupled with several techniques, such as executing DNS requests to the attacker’s DNS servers, sideloading, extracting payloads from seemingly innocent images, and signing its payloads with a custom trusted root anchor certification authority,” stated Avast.

    The intricate infection chain exploits a security vulnerability in the update mechanism of the Indian antivirus provider eScan, orchestrating the malware propagation through an adversary-in-the-middle (AitM) maneuver.

    Specifically, the attack intercepts the update traffic and substitutes the package file with a malicious version, which is possible because the updates were neither signed nor delivered over HTTPS. This oversight, lingering unnoticed for at least five years, was rectified as of July 31, 2023.

    The rogue DLL (“updll62.dlz”) initiated by the eScan software sideloads a DLL (“version.dll”), which starts a multi-stage sequence: first a PNG file loader, which in turn uses malicious DNS servers to contact a command-and-control (C2) server and retrieve a PNG file with shellcode appended to it.

    “GuptiMiner operates its DNS servers to serve genuine destination domain addresses of C&C servers via DNS TXT responses,” elaborated researchers Jan Rubín and Milánek.

    “Given that the malware connects directly to the malicious DNS servers, the DNS protocol remains entirely isolated from the DNS network, ensuring that no legitimate DNS server intercepts the traffic from this malware.”

    Subsequently, the PNG file is parsed to extract the shellcode, responsible for executing a Gzip loader tasked with decompressing another shellcode using Gzip and executing it in a separate thread.
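    One defender-side check the loader stage above invites: flag PNG files that carry data after the IEND chunk, since a valid decoder never reads past it. This is an added Python example, not Avast's or eScan's code; the minimal 1x1 PNG and the appended bytes are constructed here as sample input.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed benign sample: a 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.

    Raises ValueError if the input is not structurally a PNG. A result > 0
    means the file carries an overlay that no image decoder will ever touch,
    which is exactly where an appended payload would live.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


if __name__ == "__main__":
    clean = build_minimal_png()
    suspect = clean + b"\x90" * 16 + b"\xcc"  # constructed overlay, not real shellcode
    print("clean overlay bytes:", trailing_bytes_after_iend(clean))
    print("suspect overlay bytes:", trailing_bytes_after_iend(suspect))
```

    The check is cheap enough to run on every image written by an updater or dropped into a temp directory; a non-zero result is a strong indicator worth a hash lookup and sandbox detonation.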

    The third-stage malware, dubbed Puppeteer, orchestrates the entire operation, ultimately deploying the XMRig cryptocurrency miner and backdoors on the compromised systems.

    Avast identified two distinct types of backdoors equipped with functionalities facilitating lateral movement, command reception from the threat actor, and the deployment of additional components as necessary.

    “The first type comprises an enhanced build of PuTTY Link, facilitating SMB scanning of the local network and enabling lateral movement to potentially vulnerable systems running Windows 7 and Windows Server 2008,” elucidated the researchers.

    “The second backdoor is multi-modular, accepting commands from the attacker to install additional modules, and focusing on scanning for stored private keys and cryptocurrency wallets on the local system.”

    The deployment of XMRig, albeit unexpected within the context of a complex operation, suggests its utilization as a diversionary tactic to obfuscate the true scope of the compromise.

    GuptiMiner, known to be operational since at least 2018, employs various techniques including anti-VM and anti-debug measures, code virtualization, deployment of the PNG loader during system shutdown events, storage of payloads in the Windows Registry, and addition of a root certificate to the Windows certificate store to lend credibility to the PNG loader DLLs.

    The association with Kimsuky stems from an information-stealing component, not distributed by GuptiMiner or part of the infection chain, yet used extensively across the GuptiMiner campaign and sharing similarities with a previously identified keylogger utilized by the group.

    The campaign’s targets remain unclear; however, GuptiMiner artifacts have been uploaded to VirusTotal from India and Germany as early as April 2018, with Avast telemetry data indicating new infections likely originating from outdated eScan clients.

    These revelations coincide with the Korean National Police Agency (KNPA) attributing cyber intrusions to North Korean hacking units such as Lazarus, Andariel, and Kimsuky, targeting the defense sector and exfiltrating sensitive data from select entities.

    A report by the Korea Economic Daily disclosed that threat actors breached the networks of 83 South Korean defense contractors, pilfering confidential information from approximately 10 of them between October 2022 and July 2023.
